I just noticed that my VPS just expired 3 weeks ago, and there is no way to retrieve it back. That VPS equipped with 128MB RAM, 10GB HDD space for USD4.99 per year (damn cheap).

Then I’m seeking for another poor man VPS. I do not need humongous memory and disk space, just enough for me to SSH and perform remote network troubleshooting (nmap, nslookup, dig, telnet and sometimes for R&D purpose). Ramnode was the best candidate due to their SSD or SSD-Cached disk, but I want to explore another cheap provider.

I found a good deal with HostUS, for USD12 per year they provide:
– 768MB RAM
– 768MB vSwap
– 1 vCPU Core (Fair Use)
– 20GB Disk Space
– 2TB transfer
– 1Gbps uplink
– 1x IPv4
– 4x IPv6
– OpenVZ / Breeze Panel

Breeze Panel is their modified WHCMS integrated with SolusVM (maybe).
vps1
Benchmark:
hwinfo
bench

USD12/year available from this link (affiliate). You can’t find from their main page. While stock last.

p/s: From TM Unifi, I’m getting better latency when I choose London Data Center.
pp/s: You can also use coupon code TOPPROVIDER for 20% off any unmanaged plans on their site

HP Procurve
Download latest firmware from https://h10145.www1.hpe.com/support/SupportLookUp.aspx
ProCurve Switch 2510B-24#copy flash tftp 192.168.1.12 Q_11_07.swi (make a firmware backup to TFTP server)
ProCurve Switch 2510B-24#copy tftp flash 192.168.1.12 Q_11_73.swi primary (download new firmware and overwrite primary storage)
ProCurve Switch 2510B-24#boot system flash primary (optional, to switch to primary image)

3COM (4500G)
<4500>delete /unreserved s3p01_00.web
<4500>delete /unreserved s3n03_01_00s56p01.app
<4500>tftp 192.168.0.1 get s3q05_02_00s168p20.app
<4500>tftp 192.168.0.1 get s3r05_06.btm

Next step is to configure which files will be used by the switch on the next boot.
<4500>boot-loader file flash:/s3q05_02_00s168p20.app
<4500>bootrom update file flash:/s3r05_06.btm
<4500>save

This post shows how to configure a TACACS+ server for system authentication in Juniper SRX with open source tac_plus software.

Brocade IronStack configuration
aaa authentication web-server default local
aaa authentication login default tacacs+ enable local
aaa authentication login privilege-mode
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+
tacacs-server host 10.14.14.55
tacacs-server host 10.18.15.145
tacacs-server key NASKEYHERE
tacacs-server timeout 10
ip tacacs source-interface ve 998

reference: http://www1.brocade.com/downloads/documents/html_product_manuals/FI_ICX6650_07500_SCG/wwhelp/wwhimpl/common/html/wwhelp.htm#context=Security-converted&file=FI_Security.03.6.html

This post shows how to configure a TACACS+ server for system authentication in Juniper Netscreen SSG with open source tac_plus software.

Juniper Netscreen SSG Configuration
set auth-server TACACS id 1
set auth-server TACACS server-name 192.168.1.100
set auth-server TACACS backup1 192.168.1.200 (optional)
set auth-server TACACS account-type admin
set auth-server TACACS type tacacs
set auth-server TACACS tacacs secret Tacacssecret1
set auth-server TACACS tacacs port 49
set admin auth server TACACS
set admin auth remote primary
set admin auth remote root
set admin privilege get-external

tac_plus configuration
key = Tacacssecret1
group = netscreen
{
service = netscreen
{
vsys = root
privilege = root
}
}
user = nmsns {
default service = permit
login = file /etc/passwd
member = netscreen
}

This post shows how to configure a TACACS+ server for system authentication in Juniper SRX with open source tac_plus software.

Juniper SRX configuration
Connect to SRX and enter configure mode
[email protected]% cli
{primary:node1}
[email protected]> configure
warning: Clustering enabled; using private edit
warning: uncommitted changes will be discarded on exit
Entering configuration mode{primary:node1}[edit]
[email protected]#

Add a new TACACS+ server and set its IP address.
[email protected]#set tacplus-server address 172.16.98.24

Specify the shared secret (password) of the TACACS+ server.
[email protected]#set tacplus-server 172.16.98.24 secret Tacacssecret1

Specify the device’s loopback address as the source address.
[email protected]#set tacplus-server 172.16.98.24 source-address 10.0.0.1

Set for single connection authentication
[email protected]#set tacplus-server 172.16.98.24 single-connection

Set authentication order
[email protected]# set system authentication-order tacplus
[email protected]# set system authentication-order password

Set accounting logging
[email protected]# set system accounting events login
[email protected]#set system accounting events change-log
[email protected]#set system accounting events interactive-commands
[email protected]#set system accounting destination tacplus

Verify configuration
[email protected]# show system tacplus-server
[email protected]# show system accounting

tac_plus configuration
key = Tacacssecret1
group = srx {
service = junos-exec
{
local-user-name = root
}
}

user = srxadmin {
default service = permit
login = file /etc/passwd
member = srx
}

The purpose of the tutorial is to setup an ads blocking using Bind9 DNS Server. Tutorial is divided into 2 section: Setup Pixelserv and Setup AdBlock script for Bind9.
adblock

1. Setup Pixelserv

Pixelserv is a super minimal webserver, it’s one and only purpose is serving a 1×1 pixel transparent gif file. We will redirect web requests, for adverts, to our pixelserv (running in the same bind9 server).

Install Pixelserv

cd /usr/local/bin/
curl http://proxytunnel.sourceforge.net/files/pixelserv.pl.txt > pixelserv
chmod 755 pixelserv

We now need a simple init script for starting/stopping pixelserv, as /etc/init.d/pixelserv.

#! /bin/sh
# /etc/init.d/pixelserv
#
# Carry out specific functions when asked to by the system
case "$1" in
start)
echo "Starting pixelserv "
/usr/local/bin/pixelserv &
;;
stop)
echo "Stopping script pixelserv"
killall pixelserv
;;
*)
echo "Usage: /etc/init.d/pixelserv {start|stop}"
exit 1
;;
esac

exit 0
chmod 755 /etc/init.d/pixelserv

Add pixelserv to startup

update-rc.d pixelserv defaults

Run pixelserv

/etc/init.d/pixelserv start

bind9

2. AdBlock for Bind9

Create new file, /etc/bind/update.sh

curl "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=bindconfig&showintro=0&mimetype=plaintext" | sed 's/null.zone.file/\/etc\/bind\/nullzonefile.txt/g' > ad-blacklist

Make it executable

chmod +x update.sh

Execute update.sh to download adservers file

./update.sh

Verify file content, make sure the path is changed from:

zone "24pm-affiliation.com" { type master; notify no; file "null.zone.file"; }; to zone "24pm-affiliation.com" { type master; notify no; file "/etc/bind/nullzonefile.txt"; };

Create adblock zone file, we named it as nullzonefile.txt

$TTL    86400   ; one day  
@       IN      SOA     ads.example.com. hostmaster.example.com. (
               2014090102
                    28800
                     7200
                   864000
                    86400 )          
                NS      my.dns.server.org          
                A       $YOUR_DNS_SERVER_IP 
@       IN      A       $YOUR_DNS_SERVER_IP
*       IN      A       $YOUR_DNS_SERVER_IP

Reload bind9 configuration

rndc reload

Test your DNS Server

dig @localhost 24pm-affiliation.com

Should returned your own server ip address.

Reference:
https://charlieharvey.org.uk/page/adblocking_with_bind_apache
The Best Ad Blocking Method
http://box.matto.nl/dnsadblok.html
http://www.deer-run.com/~hal/sysadmin/dns-advert.html

Using BIND to reduce ad server content

This article will guide you step by step to get Bind DNS running.

Install Dependencies:

[email protected]:~# apt-get update
[email protected]:~# apt-get upgrade
[email protected]:~# apt-get install build-essential openssl libssl-dev libdb5.1-dev

Download Bind:

[email protected]:~# wget ftp://ftp.isc.org/isc/bind9/9.9.7/bind-9.9.7.tar.gz

Unpack Bind:

[email protected]:~# tar zxvf bind-9.9.7.tar.gz

Configure and then compile Bind9 source pre:

[email protected]:~# fakeroot ./configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --sysconfdir=/etc/bind --localstatedir=/var --enable-threads --enable-largefile --with-libtool --enable-shared --enable-static --with-openssl=/usr  --with-gnu-ld --with-dlz-postgres=no --with-dlz-mysql=no --with-dlz-bdb=yes --with-dlz-filesystem=yes  --with-dlz-stub=yes  CFLAGS=-fno-strict-aliasing --enable-rrl --enable-newstats

If compile success, you will see below screen:

========================================================================
Configuration summary:
------------------------------------------------------------------------
Optional features enabled:
Multiprocessing support (--enable-threads)
Response Rate Limiting (--enable-rrl)
New statistics (--enable-newstats)
Print backtrace on crash (--enable-backtrace)
Use symbol table for backtrace, named only (--enable-symtable)
Dynamically loadable zone (DLZ) drivers:
Berkeley DB (--with-dlz-bdb)
Filesystem (--with-dlz-filesystem)
Stub (--with-dlz-stub)

Features disabled or unavailable on this platform:
GSS-API (--with-gssapi)
PKCS#11/Cryptoki support (--with-pkcs11)
Allow 'fixed' rrset-order (--enable-fixed-rrset)
Automated Testing Framework (--with-atf)
XML statistics (--with-libxml2)
========================================================================

Compile and install bind9:

[email protected]:~# make install

Last step, we need to manually create the /var/cache/bind directory:

[email protected]:~# mkdir /var/cache/bind

Start the service:

[email protected]:~# sudo /etc/init.d bind9 start

Hopefully, bind9 will start just fine.

Explanation:

Tell Bind9 to utilize DLZ (Dynamically Loadable Zones) using BDB.

--with-dlz-postgres=no
--with-dlz-mysql=no
--with-dlz-bdb=yes
--with-dlz-filesystem=yes

Enable Response Rate Limiting, to limit DNS answer and help mitigate DNS amplification attacks

--enable-rrl

Readings:
https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html
https://nlnet.nl/project/bind-dlz/200205-sane/paper.html
http://bind-dlz.sourceforge.net/

I was under impression that allowing icmp in the service policy will enable tracert to work. I was wrong. After scouting around I found below tweaks that will enable tracert to run correctly.

1. Set decrement TTL
ASA# configure terminal
ASA(config)# policy-map global_policy
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# set connection decrement-ttl
ASA(config-pmap-c)# exit

2. Permit icmp control messages
ASA(config)# access-list inbound permit icmp any any time-exceeded
ASA(config)# access-list inbound permit icmp any any unreachable

3. Permit icmp connection, which you should already have 😀
ASA(config)# access-list outbound permit icmp any any

References:
http://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/12_4/sec_data_plane_12_4_book/sec_fwall_icmp_insp.html

http://www.petenetlive.com/KB/Article/0000753.htm

Re-post from LYN forum. Credit to ansonlos.

After much try and error and research, I’ve managed to get pfSense to work with UniFi’s IPv6 allocation. For a bit of a background, I’m running the latest release of pfSense i.e. 2.2.1 and also I got this to work with my office’s UniFi which is on Biz 10.

I’d just like to share my settings here to benefit those who might want to get IPv6 to work for their pfSense box.

1. Under “System -> Advanced -> Networking”, make sure “Allow IPv6” is checked. Then go to “Interfaces”, click on “WAN”. Under IPv6 Configuration Type, choose “DHCP6”. MTU should be 1492.

2. Under DHCP6 client configuration section, put a tick mark on “Request a IPv6 prefix/information through the IPv4 connectivity link”. In the drop down list for DHCPv6 Prefix Delegation size, choose “56”. (I have no idea why this is the case, but the allocated subnet for both the PPPoE and LAN are actually 64. I’ve tried choosing 64 here, but it doesn’t work. Maybe 56 is for a Biz account. If 56 doesn’t work for you, try choosing 64 especially if you’re on home UniFi account.)

Also, put a tick mark for “Send an IPv6 prefix hint to indicate the desired prefix size for delegation”. Click on “Save”.
Interface_WAN

3. Now, go to “Interfaces”, click on “LAN”. Under IPv6 Configuration Type, choose “Track Interface”. Type 1492 for MTU.

4. Under Track IPv6 Interface section, ensure IPv6 Interface “WAN” is selected and as for IPv6 Prefix ID, just type 0 (zero) here.

5. Under Private networks section, ensure “Block Bogons networks” is unchecked. Then, click “Save”.

Interface_LAN

6. Finally, I’ve read that IPv6 requires ICMP to work. So under Firewall -> Rules, I’ve also created a rule to allow ICMP IPv6 traffic for both WAN and LAN.

I’m not entirely certain what the security implications are with the above settings to the firewall, so please be forewarned.

With the above settings, I’m able to get IPv6 addresses for PPPoE and LAN interfaces for pfSense and also devices connected to the LAN. Hope this helps those who are using pfSense.